A fundamental task in modern cryptography is the joint computation of a function which has two
inputs, one from Alice and one from Bob, such that neither of the two can learn more about the 
other's input than what is implied by the value of the function. In this Letter, we show that any 
quantum protocol for the computation of a classical deterministic function that outputs the result to 
both parties (two-sided computation) and that is secure against a cheating Bob can be completely 
broken by a cheating Alice. Whereas it is known that quantum protocols for this task cannot be 
completely secure, our result implies that security for one party implies complete insecurity for the 
other. Our findings stand in stark contrast to recent protocols for weak coin tossing, and highlight 
the limits of cryptography within quantum mechanics. We remark that our conclusions remain 
valid, even if security is only required to be approximate and if the function that is computed for 
Bob is different from that of Alice. 



PACS numbers: 03.67.Dd, 03.67.Ac, 03.67.Hk 

Traditionally, cryptography has been understood as the art of "secret writing", i.e., of sending
messages securely from one party to another. Today, the research field of cryptography comprises
much more than encryption and studies all aspects of secure communication and computation among
players that do not trust each other, including tasks such as electronic voting and auctioning.
Following the excitement that the exchange of quantum particles may allow for the distribution of
a key that is unconditionally secure [BB84, Eke91], a level of security unattainable by classical
means, the question arose whether other fundamental cryptographic tasks could be implemented with
the same level of security using quantum mechanical effects. For oblivious transfer and bit
commitment, it was shown that the answer is negative [LC97, May97]. Interestingly, however, a weak
version of a coin toss can be implemented by quantum mechanical means [Moc07].

In this Letter we study the task of secure two-party computation. Here, two mistrustful players,
Alice and Bob, wish to compute the value of a classical deterministic function $f$, which takes an
input $u$ from Alice and $v$ from Bob, in such a way that both learn the result of the computation
and that none of the parties can learn more about the other's input, even by deviating from the
protocol. As our main result we show that any quantum protocol which is secure against a cheating
Bob can be completely broken by a cheating Alice. Formally, we design an attack by Alice which
allows her to compute the value of the function $f$ for all of her inputs (rather than only a
single one, which would be required from a secure protocol).

Our result strengthens the impossibility result for two-sided secure two-party computation by
Colbeck, where he showed that Alice can always obtain more information about Bob's input than what
is implied by the value of the function [Col07]. In a similar way, we complement a result by
Salvail, Schaffner and Sotakova [SSS09] showing that any quantum protocol for a non-trivial
primitive necessarily leaks information to a dishonest player. Our result is motivated by Lo's
impossibility result for the case where only Alice obtains the result of the function (one-sided
computation) [Lo97]. Lo's approach is based on the idea that Bob does not have any output; hence,
his quantum state cannot depend on Alice's input. Then, Bob has learned nothing about Alice's input
and a cheating Alice can therefore still change her input value (by purifying the protocol) and
thus cheat.

In the two-sided case, this approach to proving the insecurity of two-party computation fails as
Bob knows the value of the function and has thus some information about Alice's input. In order to
overcome this problem we develop a new approach. We start with a formal definition of security
based on the standard real/ideal-world paradigm from modern cryptography. In our case of a
classical functionality, this definition guarantees the existence of a classical input for Bob in
the ideal world, even if he is, in the real world, dishonestly purifying his steps of the protocol.
Since real and ideal are indistinguishable for a secure protocol and since a purification of the
classical input cannot be part of Bob's systems, Alice can now obtain a copy of this input by
applying a unitary — constructed with the help of Uhlmann's theorem — to her output registers and,
henceforth, break the protocol.

We wish to emphasize that the above conclusion remains valid if the protocol is not required to be
perfectly secure (nor perfectly correct). More precisely, if the protocol is secure up to a small
error against cheating Bob, then Alice is able to compute the value of the function for all of her
inputs with only a small error. Since the error is independent of the number of inputs that both
Alice and Bob have, our analysis improves over Lo's result in the one-sided case. In fact, our
results apply to this case since, more generally, they remain true should Bob receive the output of
a function $g$, different from Alice's $f$, as a careful look at our argument reveals.

Security Definition. Alice and Bob, at distant locations and only connected with a quantum channel,
wish to execute a protocol that takes an input $u$ from Alice and an input $v$ from Bob and that
outputs the value $f(u, v)$ of a classical deterministic function $f$ to both of them. Since Alice
does not trust Bob, she wants to be sure that the protocol does not allow him to extract more
information about her input than what is implied by the output value of the function. The same
should be true if Alice is cheating and Bob is honest. Whereas for simple functions this intuitive
notion of security can be made precise by stating a list of security requirements for certain
quantum states of Alice and Bob, such an approach seems very complicated and prone to pitfalls for
general functions $f$, in particular, if we want to consider protocols that are only approximately
secure. We therefore follow the modern literature on cryptography where such situations have been
in the center of attention for many years (cf. zero-knowledge, composability) and where a suitable
notion of security, known as the real/ideal-world paradigm, has been firmly established.

In this paradigm we first define an ideal situation in which everything is computed perfectly and
securely and call this the ideal functionality. Informally, a two-party protocol is secure if it
looks to the outside world just like the ideal functionality it is supposed to implement. More
concretely, a protocol is deemed secure if for every adversarial strategy, or real adversary, there
exists an ideal adversary interacting only with the ideal functionality such that the execution of
the protocol in the real world is indistinguishable from this ideal world. If such a security
guarantee holds, it is clear that a secure protocol can be treated as a call to the ideal
functionality and hence, it is possible to construct and prove secure more complicated protocols in
a modular fashion. See [Can00, Can96, Gol04] and [Unr04, Unr10, BM04, FS09] for further information
about this concept of security in the context of classical and quantum protocols, respectively.

There exist different meaningful ways to make the above informal notion of the real/ideal-world
paradigm precise. All these notions have in common that the execution of the protocol by the honest
and dishonest players is modeled by a completely positive trace-preserving (CPTP) map. Likewise,
every ideal adversary interacting with the ideal functionality is composed out of CPTP maps
modeling the pre- and postprocessing of the in- and outputs to the ideal functionality (which is a
CPTP map itself). A desirable notion of security is the following: for every real adversary there
exists an ideal adversary, such that the corresponding CPTP maps are (approximately)
indistinguishable. The natural measure of distinguishability of CPTP maps in this context is the
diamond norm, since it can be viewed as the maximal bias of distinguishing real and ideal world by
supplying inputs to the CPTP maps and attempting to distinguish the outputs by measurements (i.e.
by interacting with an environment). This rather strong notion of security naturally embeds into a
composable framework for security in which also quantum key distribution can be proven secure (see
e.g. [CKR09]).

FIG. 1: Illustration of the security definition. A protocol is secure against Bob, if the real
protocol (left) can be simulated as an interaction with the ideal functionality $\mathcal{F}$
(right).

Since our goal is the establishment of a no-go theorem, we consider a notion of security which is
weaker than the above in two respects. First, we do not allow the environment to supply an
arbitrary input state but only the purification of a classical input (see definition of
$\rho_{UVR}$ below), and second, we consider a different order of quantifiers: instead of
"$\forall$ real adversary $\exists$ ideal adversary $\forall$ input, the output states are
indistinguishable" as a security requirement we only require "$\forall$ real adversary $\forall$
input $\exists$ ideal adversary, the output states are indistinguishable." This notion of security
is closely related to notions of security considered in [FS09, Unr10] and is further discussed in
the appendix.

We will now give a formal definition of security. Following the notation of [FS09], we denote by
$A$ and $B$ the real honest Alice and Bob and add a prime to denote dishonest players $A'$, $B'$
and a hat for the ideal versions $\hat{A}$, $\hat{B}$. The CPTP map corresponding to the protocol
for honest Alice and dishonest Bob is denoted by $\pi_{A,B'}$. Both honest and dishonest players
obtain an input, in Alice's case $u$ (in register $U$) and in Bob's case $v$ (in register $V$)
drawn from the joint distribution $p(u,v)$. The output state of the protocol, augmented by the
reference $R$, takes the form $[\mathrm{id}_R \otimes \pi_{A,B'}](\rho_{UVR})$, where $\rho_{UVR}$
is a purification of

$$\sum_{u,v} p(u,v)\, |u\rangle\langle u|_U \otimes |v\rangle\langle v|_V .$$

Since we are faced with the task of the secure evaluation of a classical deterministic function, we
consider an ideal functionality $\mathcal{F}$ which measures the inputs in registers $U$ and $V$
and outputs orthogonal states in registers $X$ and $Y$ that correspond to the function values.
Formally,

$$\mathcal{F}\big(|u\rangle\langle u'|_U \otimes |v\rangle\langle v'|_V\big) := \delta_{u,u'}\,\delta_{v,v'}\; |f(u,v)\rangle\langle f(u,v)|_X \otimes |f(u,v)\rangle\langle f(u,v)|_Y ,$$

where $\delta$ denotes the Kronecker delta function. When an ideal honest $\hat{A}$ and an ideal
adversary $\hat{B}'$ interact with the ideal functionality, we denote the joint map by
$\mathcal{F}_{\hat{A},\hat{B}'}: UV \to XY'$ (see Figure 1). $\hat{A}$ just forwards the in- and
outputs to and from the functionality, whereas $\hat{B}'$ pre- and postprocesses them with CPTP
maps $\Lambda^1_{V \to VK}$ and $\Lambda^2_{KY \to Y'}$ resulting in a joint map

$$\mathcal{F}_{\hat{A},\hat{B}'} = [\mathrm{id}_X \otimes \Lambda^2_{KY \to Y'}] \circ [\mathcal{F}_{UV \to XY} \otimes \mathrm{id}_K] \circ [\mathrm{id}_U \otimes \Lambda^1_{V \to VK}],$$

where $\circ$ denotes sequential application of CPTP maps.

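In the following we let $\varepsilon \geq 0$ and write $\rho \approx_\varepsilon \sigma$ if
$C(\rho,\sigma) \leq \varepsilon$. $C(\rho,\sigma)$ is the purified distance, defined as
$\sqrt{1 - F(\rho,\sigma)^2}$ for $F(\rho,\sigma) := \mathrm{tr}\sqrt{\sqrt{\rho}\,\sigma\sqrt{\rho}}$
the fidelity.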

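Definition. A (two-party quantum) protocol $\pi$ for $f$ is $\varepsilon$-correct if for any
distribution $p(u, v)$ of the inputs it holds that

$$[\mathrm{id}_R \otimes \pi_{A,B}](\rho_{UVR}) \approx_\varepsilon [\mathrm{id}_R \otimes \mathcal{F}_{\hat{A},\hat{B}}](\rho_{UVR}).$$

The protocol is $\varepsilon$-secure against dishonest Bob if for any $p(u, v)$ and for any real
adversary $B'$, there exists an ideal adversary $\hat{B}'$ such that

$$[\mathrm{id}_R \otimes \pi_{A,B'}](\rho_{UVR}) \approx_\varepsilon [\mathrm{id}_R \otimes \mathcal{F}_{\hat{A},\hat{B}'}](\rho_{UVR}).$$

$\varepsilon$-security against dishonest Alice is defined analogously.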

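Since $\mathcal{F}$ is classical, we can augment it so that it outputs $v$ in addition. More
precisely, we define $\mathcal{F}_{\mathrm{aug}}: UV \to XY\tilde{V}$ by

$$\mathcal{F}_{\mathrm{aug}}\big(|u\rangle\langle u'|_U \otimes |v\rangle\langle v'|_V\big) := \delta_{u,u'}\,\delta_{v,v'}\; |f(u,v)\rangle\langle f(u,v)|_X \otimes |f(u,v)\rangle\langle f(u,v)|_Y \otimes |v\rangle\langle v|_{\tilde{V}},$$

which has the property that $\mathcal{F} = \mathrm{tr}_{\tilde{V}} \circ \mathcal{F}_{\mathrm{aug}}$.
For a concrete input distribution we define $\sigma_{RX\tilde{V}Y'} := [\mathrm{id}_R \otimes$ …
$\rho_{RXY'}$ for $\rho_{RXY'} := [\mathrm{id}_R \otimes \pi_{A,B'}](\rho_{UVR})$ if the protocol is
secure against cheating Bob. We call $\sigma_{RX\tilde{V}Y'}$ a secure state for input distribution
$p(u,v)$.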

Main Results. The proofs of our main results build upon the following lemma which constructs a
cheating strategy for Alice that works on average over the input distribution $p(u,v)$.
Subsequently we will show how this result can be used to devise a cheating strategy that works for
all distributions at the same time.

Lemma. If a protocol $\pi$ for the evaluation of $f$ is $\varepsilon$-correct and
$\varepsilon$-secure against Bob, then for all input distributions $p(u,v)$ there is a cheating
strategy for Alice such that she obtains $\tilde{v}$ with some probability distribution
$q(\tilde{v}|u,v)$ satisfying
$\sum_{u,v,\tilde{v}} p(u,v)\, q(\tilde{v}|u,v)\, \delta_{f(u,v),f(u,\tilde{v})} \geq 1 - 6\varepsilon$.
Furthermore, $q(\tilde{v}|u,v)$ is almost independent of $u$; i.e., there exists a distribution
$q(\tilde{v}|v)$ such that
$\sum_{u,v,\tilde{v}} p(u,v)\, |q(\tilde{v}|u,v) - q(\tilde{v}|v)| \leq 6\varepsilon$.

Proof. We first construct a "cheating unitary" $T$ for Alice and then show how Alice can use it to
cheat successfully.

Let Alice and Bob play honestly but let them purify their protocol with purifying registers $X_1'$
and $Y_1'$ respectively. We assume without loss of generality that honest parties measure their
classical input and hence, $X_1'$ and $Y_1'$ contain copies of $u$ and $v$, respectively. We denote
by $|\Phi\rangle_{RXX_1'Y_1'Y}$ the state of all registers at the end of the protocol. Notice that
tracing out $X_1'$ from $|\Phi\rangle_{RXX_1'Y_1'Y}$ results in a state
$\mathrm{tr}_{X_1'} |\Phi\rangle\langle\Phi|_{RXX_1'Y_1'Y} = \rho_{RXY_1'Y}$ which is exactly the
final state when Alice played honestly and Bob played dishonestly with the following strategy: he
plays the honest but purified strategy and outputs the purification of the protocol (register
$Y_1'$) and the output values $f(u,v)$ (register $Y$). His combined dishonest register is
$Y' = Y_1'Y$. Since the protocol is $\varepsilon$-secure against Bob by assumption, there exists a
secure state $\sigma_{RX\tilde{V}Y'}$ satisfying

$$\sigma_{RXY'} \approx_\varepsilon \rho_{RXY'} . \tag{1}$$

Let $_{RXP\tilde{V}Y'}$ be a purification of $\sigma_{RX\tilde{V}Y'}$ with purifying register $P$.
Note that $_{RXP\tilde{V}Y'}$ is also a purification of $\sigma_{RXY'}$, this time with purifying
registers $P\tilde{V}$. Recall that $|\Phi\rangle_{RXX_1'Y'}$ purifies $\rho_{RXY'}$ with purifying
register $X_1'$. Since $\sigma_{RXY'} \approx_\varepsilon \rho_{RXY'}$ we can use Uhlmann's theorem
[Uhl76] to conclude that there exists an isometry $T = T_{X_1' \to P\tilde{V}}$ (with induced CPTP
map $\mathcal{T} = \mathcal{T}_{X_1' \to P\tilde{V}}$) such that
RXPVY'



(2) 



This concludes the construction of $T = T_{X_1' \to P\tilde{V}}$.

We will now show how Alice can use the isometry $T$ to cheat. Notice that tracing out $Y_1'$ from
$|\Phi\rangle_{RXX_1'Y_1'Y}$ results exactly in the final state when Bob played honestly and Alice
played dishonestly with the following strategy: she plays the honest but purified strategy and
outputs the purification of the protocol (register $X_1'$) and the output values $f(u,v)$ (register
$X$). She then applies $T_{X_1' \to P\tilde{V}}$, measures register $\tilde{V}$ in the computational
basis and obtains a value $\tilde{v}$. It remains to argue that Alice can compute $f(u, v)$ with
good probability based on the value $\tilde{v}$ that she has obtained from measuring register
$\tilde{V}$.

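Let $\mathcal{M}_{RX\tilde{V}}$ be the CPTP map that measures registers $X$ and $\tilde{V}$ in the
computational basis. Tracing over $PY'$ and applying $\mathcal{M}_{RX\tilde{V}}$ on both sides of
Equation (2), we find

$$[\mathcal{M}_{RX\tilde{V}} \otimes \mathrm{tr}_{PY'}]\big([\mathcal{T}_{X_1' \to P\tilde{V}} \otimes \mathrm{id}_{RXY'}](|\Phi\rangle\langle\Phi|_{RXX_1'Y'})\big)$$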

RXPVY' ) (3) 

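by the monotonicity of the purified distance under CPTP maps. The right-hand side of Equation (3)
equals

$$\sum_{u,v,\tilde{v}} p(u,v)\, q(\tilde{v}|v)\; |uv\rangle\langle uv|_R \otimes |\tilde{v}\rangle\langle\tilde{v}|_{\tilde{V}} \otimes |f(u,\tilde{v})\rangle\langle f(u,\tilde{v})|_X$$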



for some probability distribution $q(\tilde{v}|v)$ that is conditioned only on Bob's input $v$,
since $_{RXP\tilde{V}Y'}$ is a purification of the secure state $\sigma_{RX\tilde{V}Y'}$. The
left-hand side of Equation (3) equals

p(u,v)q(v\u,v)\uv)(uv\ R (g) 

u,v,v,x (4) 

(g) r(x|w, 

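for some conditional probability distributions $q(\tilde{v}|u,v)$ and $r(x|u,v,\tilde{v})$. Because
of the correctness of the protocol, term (4) is $\varepsilon$-close to

$$\sum_{u,v,\tilde{v}} p(u,v)\, q'(\tilde{v}|u,v)\; |uv\rangle\langle uv|_R \otimes |\tilde{v}\rangle\langle\tilde{v}|_{\tilde{V}} \otimes |f(u,v)\rangle\langle f(u,v)|_X \tag{5}$$

for some conditional probability distribution $q'(\tilde{v}|u,v)$. Noting that the
$\varepsilon$-closeness of (4) and (5) implies that $p(\cdot,\cdot)\,q(\cdot|\cdot,\cdot)$ and
$p(\cdot,\cdot)\,q'(\cdot|\cdot,\cdot)$ (when interpreted as quantum states) are
$\varepsilon$-close in purified distance, we can replace $p(\cdot,\cdot)\,q'(\cdot|\cdot,\cdot)$ in
(5) by $p(\cdot,\cdot)\,q(\cdot|\cdot,\cdot)$ increasing the purified distance to the left-hand
side of Equation (3) only to $2\varepsilon$. Putting things together, Equation (3) implies

$$\sum_{u,v,\tilde{v}} p(u,v)\, q(\tilde{v}|u,v)\; |uv\rangle\langle uv|_R \otimes |\tilde{v}\rangle\langle\tilde{v}|_{\tilde{V}} \otimes |f(u,v)\rangle\langle f(u,v)|_X \;\approx_{3\varepsilon}\; \sum_{u,v,\tilde{v}} p(u,v)\, q(\tilde{v}|v)\; |uv\rangle\langle uv|_R \otimes |\tilde{v}\rangle\langle\tilde{v}|_{\tilde{V}} \otimes |f(u,\tilde{v})\rangle\langle f(u,\tilde{v})|_X . \tag{6}$$

Sandwiching both sides with $\mathrm{tr}[Z\,\cdot\,]$, where
$Z = \sum_{u,v,\tilde{v}} |uv\rangle\langle uv|_R \otimes |\tilde{v}\rangle\langle\tilde{v}|_{\tilde{V}} \otimes |f(u,\tilde{v})\rangle\langle f(u,\tilde{v})|_X$,
we find the first claim since the purified distance of two distributions upper bounds their total
variation distance and since the latter does not increase under $\mathrm{tr}[Z\,\cdot\,]$. The
second claim follows similarly by tracing out register $X$ from Equation (6). □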

Applying the lemma to the uniform distribution we 
immediately obtain our impossibility result for perfectly 
secure protocols. 

Theorem 1. Let $\pi$ be a protocol for the evaluation of $f$ which is perfectly correct and
perfectly secure ($\varepsilon = 0$) against Bob. Then, if Bob has input $v$, Alice can compute
$f(u, v)$ for all $u$.

We note that this implies that Alice can completely break the security for any non-trivial function
$f$.

Proof. Letting $p(u, v) = \frac{1}{|U||V|}$ and $\varepsilon = 0$ in the lemma results in the
statement that if Alice has input $u_0$, then she will obtain $\tilde{v}$ from the distribution
$q(\tilde{v}|u_0,v)$ which equals $q(\tilde{v}|v)$. But since also
$q(\tilde{v}|u,v) = q(\tilde{v}|v)$ for all $u$, we have
$\frac{1}{|U||V|} \sum_{u,v,\tilde{v}} q(\tilde{v}|u_0, v)\, \delta_{f(u,v),f(u,\tilde{v})} = 1$.
In other words, all $\tilde{v}$ that occur (i.e. that have $q(\tilde{v}|v) > 0$) satisfy for all
$u$, $f(u,v) = f(u,\tilde{v})$. Alice can therefore compute the function for all $u$. □



The impossibility result for the case of imperfect protocols is also based on the lemma, but
requires a subtle swap in the order of quantifiers (from "$\forall$ input $\exists$ ideal
adversary" to "$\exists$ ideal adversary $\forall$ input") which we achieve by use of von Neumann's
minimax theorem.

Theorem 2. If a protocol $\pi$ for the evaluation of $f$ is $\varepsilon$-correct and
$\varepsilon$-secure against Bob, then there is a cheating strategy for Alice (where she uses input
$u_0$ while Bob has input $v$) which gives her $\tilde{v}$ distributed according to some
distribution $Q(\tilde{v}|u_0, v)$ such that for all $u$:
$\Pr_{\tilde{v} \sim Q}[f(u,v) = f(u,\tilde{v})] \geq 1 - 28\varepsilon$.

Proof. The argument is inspired by [DKSW07]. For a finite set $\mathcal{S}$, we denote by
$\Delta(\mathcal{S})$ the simplex of probability distributions over $\mathcal{S}$. Denote by
$\mathcal{W}$ the set of pairs $(u,v)$. Consider a finite $\varepsilon$-net $\mathcal{P}$ of
$\Delta(\mathcal{W})$ in total variation distance; and to each distribution in $\mathcal{P}$ the
corresponding cheating unitary $T$ constructed in the proof of the lemma. We collect all these
unitaries in the (finite) set $\mathcal{E}$ and assume that $T$ determines $p$ uniquely, as we
could include the value $p$ into $T$. For each such $T$, let $q(\tilde{v}|u,v,T)$ and
$q(\tilde{v}|v,T)$ be the distributions from the lemma. Define the payoff function

$$g(u,v,T) := \sum_{\tilde{v}} q(\tilde{v}|u,v,T)\, \delta_{f(u,v),f(u,\tilde{v})} - \sum_{\tilde{v}} |q(\tilde{v}|u,v,T) - q(\tilde{v}|v,T)| .$$

The lemma then yields
$1 - 12\varepsilon \leq \min_{p \in \mathcal{P}} \max_{T \in \mathcal{E}} \sum_{u,v} p(u,v)\, g(u,v,T)$
which is at most
$2\varepsilon + \min_{p' \in \Delta(\mathcal{W})} \max_{T \in \mathcal{E}} \sum_{u,v} p'(u,v)\, g(u,v,T)$,
since replacing $p$ by $p'$ incurs only an overall change in the value by $2\varepsilon$ (as
$-1 \leq g(u,v,T) \leq 1$). By von Neumann's minimax theorem, this last term equals
$2\varepsilon + \max_{p'' \in \Delta(\mathcal{E})} \min_{(u,v) \in \mathcal{W}} \sum_{T} g(u,v,T)\, p''(T)$.

Hence, we have shown that there is a strategy for Alice, where she chooses her cheating unitary $T$
with probability $p''(T)$, such that (for some $\varepsilon_1 + \varepsilon_2 \leq 14\varepsilon$)
for all $u, v$,

$$\sum_{\tilde{v}} Q(\tilde{v}|u, v)\, \delta_{f(u,v),f(u,\tilde{v})} \geq 1 - \varepsilon_1 \tag{7}$$

and
$\sum_{\tilde{v}} |Q(\tilde{v}|u,v) - Q(\tilde{v}|v)| \leq \sum_{\tilde{v},T} p''(T)\, |q(\tilde{v}|u,v,T) - q(\tilde{v}|v,T)| \leq \varepsilon_2$,
where $Q(\tilde{v}|u,v) := \sum_T p''(T)\, q(\tilde{v}|u,v,T)$ and
$Q(\tilde{v}|v) := \sum_T p''(T)\, q(\tilde{v}|v,T)$. This implies that for all $u,v$,
$\sum_{\tilde{v}} |Q(\tilde{v}|u_0,v) - Q(\tilde{v}|u,v)| \leq 2\varepsilon_2$. Combining this
inequality with Equation (7), we find for all $u, v$,
$\sum_{\tilde{v}} Q(\tilde{v}|u_0, v)\, \delta_{f(u,v),f(u,\tilde{v})} \geq 1 - \varepsilon_1 - 2\varepsilon_2 \geq 1 - 28\varepsilon$. □

One might wonder whether Theorem 2 can be strengthened to obtain, with probability
$1 - O(\varepsilon)$, a $\tilde{v}$ such that for all $u$: $f(u,v) = f(u,\tilde{v})$. It turns out
that this depends on the function $f$: when $f$ is equality [$\mathrm{EQ}(u, v) = 1$ iff $u = v$]
and inner-product modulo 2 [$\mathrm{IP}(u,v) = \sum_i u_i \cdot v_i \bmod 2$], the stronger
conclusion is possible. However for disjointness [$\mathrm{DISJ}(u, v) = 0$ iff
$\exists i : u_i = v_i = 1$] such a strengthening is not possible showing that our result is tight
in general.

For EQ, we reason as follows. Set $u = v$ in Theorem 2. Alice is able to sample a $\tilde{v}$ such
that
$\sum_{\tilde{v}} Q(\tilde{v}|u_0, v)\, \delta_{\mathrm{EQ}(v,v),\mathrm{EQ}(v,\tilde{v})} \geq 1 - 28\varepsilon$.
Since $\delta_{\mathrm{EQ}(v,v),\mathrm{EQ}(v,\tilde{v})} = 1$ iff $v = \tilde{v}$,
$Q(v|u_0,v) \geq 1 - 28\varepsilon$.

When $f$ is IP, we pick $u$ uniform at random and obtain
$\sum_{\tilde{v}} Q(\tilde{v}|u_0, v)\, \big(2^{-n} \sum_u \delta_{\mathrm{IP}(u,v),\mathrm{IP}(u,\tilde{v})}\big) \geq 1 - 28\varepsilon$.
Using $2^{-n} \sum_u \delta_{\mathrm{IP}(u,v),\mathrm{IP}(u,\tilde{v})} = 1$ if $v = \tilde{v}$, and
$\frac{1}{2}$ if $v \neq \tilde{v}$, we find
$Q(v|u_0, v) + \frac{1}{2}(1 - Q(v|u_0, v)) \geq 1 - 28\varepsilon$, which implies
$Q(v|u_0, v) \geq 1 - 56\varepsilon$. Interestingly, for DISJ such an argument is not possible.
Assume that we have a protocol that is $\varepsilon$-secure against Bob. Bob could now run the
protocol normally on strings $v$ with Hamming weight $|v| < n/2$, but on inputs $v$ with
$|v| > n/2$ he could flip, at random, $\sqrt{n}$ of $v$'s bits that are 1. It is not hard to see
that this new protocol is still $\varepsilon$-secure and $\varepsilon$ + O(^)-correct. The loss in
the correctness is due to the fact that, on high-Hamming-weight strings, the protocol may, with a
small probability, not be correct. On the other hand, on high-Hamming-weight inputs, the protocol
can not transmit or leak the complete input $v$ to Alice, simply because Bob does not use it.
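
An added illustration (not code from the Letter) of what Alice's sample $\tilde{v}$ is worth for EQ, IP and DISJ: it enumerates the guesses that reproduce $f(u,v)$ for every $u$, and generalises the IP step above to any agreement fraction $a$ of a wrong guess, giving $Q(v|u_0,v) \geq 1 - 28\varepsilon/(1-a)$. The helper names, the constructed function `first_bit_and`, the sample parameters and the uniform choice of $u$ are assumptions of this example.

```python
"""Added illustration: how informative Alice's sample v~ is for EQ, IP and DISJ."""
from fractions import Fraction
from itertools import product


def eq(u, v):
    """EQ(u, v) = 1 iff u = v."""
    return int(u == v)


def ip(u, v):
    """IP(u, v) = sum_i u_i * v_i mod 2."""
    return sum(a & b for a, b in zip(u, v)) % 2


def disj(u, v):
    """DISJ(u, v) = 0 iff some position i has u_i = v_i = 1."""
    return int(not any(a & b for a, b in zip(u, v)))


def first_bit_and(u, v):
    """Constructed function (not from the Letter) that sees only v's first bit."""
    return u[0] & v[0]


def strings(n):
    """All n-bit strings as tuples."""
    return list(product((0, 1), repeat=n))


def agreement(f, v, v_tilde, n):
    """Fraction of uniformly chosen u with f(u, v) == f(u, v_tilde)."""
    hits = sum(f(u, v) == f(u, v_tilde) for u in strings(n))
    return Fraction(hits, 2 ** n)


def consistent_guesses(f, v, n):
    """Every v_tilde that yields the right value f(u, v) for all u."""
    return [vt for vt in strings(n) if agreement(f, v, vt, n) == 1]


def worst_agreement(f, v, n):
    """Largest agreement reached by a wrong guess v_tilde != v."""
    return max(agreement(f, v, vt, n) for vt in strings(n) if vt != v)


def recovery_bound(a, eps):
    """Lower bound on Q(v) implied by Q(v) + a*(1 - Q(v)) >= 1 - 28*eps.

    a is the largest agreement of any wrong guess; a == 1 means some wrong
    guess is indistinguishable from v, so nothing can be concluded about Q(v).
    """
    if a == 1:
        return Fraction(0)
    return max(Fraction(0), 1 - 28 * eps / (1 - a))


if __name__ == "__main__":
    n, eps = 4, Fraction(1, 1000)      # constructed sample parameters
    v = (1, 1, 1, 1)                   # constructed sample input for Bob
    for name, f in (("EQ", eq), ("IP", ip), ("DISJ", disj), ("AND1", first_bit_and)):
        a = worst_agreement(f, v, n)
        print(f"{name:5s} consistent guesses: {len(consistent_guesses(f, v, n)):2d}  "
              f"worst wrong-guess agreement: {a}  Q(v) >= {recovery_bound(a, eps)}")
```

At $v = 1^n$ a one-bit-off guess agrees with DISJ on a $1 - 2^{-n}$ fraction of uniform $u$, so this averaging bound weakens as $n$ grows, while for IP it stays at $1 - 56\varepsilon$.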
Appendix: Additional Comments about the Security Definition

Since this work presents impossibility results for the secure computation of $f$, one may wonder
how the results are affected when the notions of security are weakened. In particular, one may ask
whether similar results can be obtained when, instead of the real/ideal-world paradigm, notions of
security more akin to the ones used in the well-known no-go proofs for bit commitment and one-sided
computation would be used. Whereas we do not know the answer to this question in general, we wish
to emphasize the difficulty in formalizing such notions of security satisfactorily.

With regards to the real/ideal-world paradigm we will now comment on some specific notions of
security used in this work. A central object in the real/ideal-world paradigm is the ideal
functionality. Since we are faced with the task of the secure evaluation of a classical
deterministic function, we chose to consider an ideal functionality which measures the inputs it
receives and outputs orthogonal states to the parties that correspond to the function values. Note
that in certain situations one may be satisfied with different (possibly weaker) ideal
functionalities for this task; we leave open the question to what extent our results remain valid
in such situations.

One may also wonder whether the purification of the inputs could not be omitted. Note that such an
omission would correspond to a serious limitation of the environment to distinguish the real from
the ideal world. With respect to the stronger notion of security discussed in the main text, for
instance, there can be a large difference between the diamond norm (which corresponds to purified
inputs) and the induced norm (where the maximisation is over inputs that are not purified), see
e.g. [DKSW07]. This difference does not occur in the case of perfectly secure protocols, where one
can therefore omit the reference. The omission of the reference has a more serious effect on the
weaker notion of security considered in this work, even in the case of perfect security, since we
only consider (purified) classical inputs; in fact, omission would invalidate the no-go result as
we will now show. We leave it as an open question whether Theorem 2 can be proven were arbitrary
(unpurified) inputs considered.

The following example was suggested to us by an anonymous referee and shows the necessity of
requiring the register $R$ in our security definition. Consider the classical deterministic
function $f((s_0, s_1), b) = (b, s_b)$ of $n$-bit strings $s_0, s_1$ and a choice bit $b$ which is
inspired by a one-out-of-two-string-oblivious transfer but outputs both the choice bit and the
string of choice to both Alice and Bob. Let us consider the following protocol $\pi_{A,B}$: Bob
sends $b$ to Alice and Alice responds with $s_b$.

Clearly, this protocol is secure against cheating Bob, who learns no more than either $s_0$ or
$s_1$. One might also think that this protocol is perfectly secure against cheating Alice because
Alice learns Bob's choice bit anyway. Indeed, if we defined security without purifying register $R$
one could construct an ideal adversary Alice $\hat{A}'$ from any real adversary $A'$ as follows.
Let $\hat{A}'$ simulate two independent copies of $A'$ and give $b = 0$ to the first and $b = 1$ to
the second copy which both respond with a string $s_0$ and $s_1$, respectively. Let $\hat{A}'$
input these two strings $(s_0, s_1)$ into the ideal functionality $\mathcal{F}$ and receive
$(b, s_b)$ as output from $\mathcal{F}$. Output whatever the real copy of $A'$ corresponding to the
bit $b$ outputs (and discard the other copy). This simulation generates an output in the ideal
world which is identically distributed to the one from the real protocol. Hence, the protocol would
be perfectly secure against Alice. Notice that this example shows that an analogue of our Theorem 1
cannot be proven for this weaker security definition.

We stress that the above protocol is not secure according to our security definition by virtue of
the purifying register $R$. Consider the uniform input distribution over $n$-bit strings
$(s_0, s_1)$ in the $2n$-qubit register $U$ and the choice bit $b$ in register $V$. Hence, the
input state $\rho_{RUV}$ is fully entangled between $R$ and $UV$. Let us consider the following
real adversary $A'$ who measures the first $n$ qubits of $U$ in the computational basis in case
$b = 0$ or performs the measurement in the Hadamard basis if $b = 1$ and returns the measurement
outcome as $s_b$. Due to the entanglement, the first $n$ qubits of $R$ collapse to the measured
state. Notice that for this adversary $A'$, the argument above is no longer applicable, because
$\hat{A}'$ cannot simulate two independent copies of $A'$ as the $U$ register is only available
once. In fact, for this adversarial strategy $A'$, only one of the two strings $s_0$, $s_1$ is
well-defined as the other string corresponds to the measurement outcome in a complementary basis of
the same quantum state. This highlights the intuitive security problem of the suggested protocol,
namely that it is not guaranteed that both $s_0$ and $s_1$ classically exist for a cheating Alice.
This shows that the protocol is not secure against cheating Alice and that it therefore does not
stand in contradiction with our results.